Privacy Law Blog
Knowledge Centre

5 Key Lessons from the LifeLabs Data Breach Case

February 24, 2025

When a cybersecurity breach hits, it’s like a domino effect. Suddenly, everyone’s involved – lawyers, internal personnel, outside experts, you name it. A responding organization or public body will usually take steps to investigate, whether it be as a matter of internal business procedure, compliance with statutory obligations, seeking or obtaining legal advice, or preparation for anticipated litigation.

Often these purposes overlap, which raises the question: what information in the investigation file is privileged? This key question was recently addressed in the case of LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194.

By way of background, LifeLabs provides laboratory testing across Canada. In 2019, LifeLabs experienced a data breach. The data breach resulted because a software patch had not been installed. Cyber-attackers gained access to LifeLabs systems and during that year gained the personal health data of millions of Canadians. The cyber-attackers then demanded payment for the return of the data. LifeLabs paid and in exchange the cyber-attackers agreed not to release the data on the internet.

The LifeLabs data breach primarily affected Ontario and British Columbia residents, prompting investigations by both provinces’ Information and Privacy Commissioners (IPC). LifeLabs claimed privilege over requested documents, but the Court upheld the IPCs decision to reject these claims, ruling that statutory obligations override privilege for facts related to privacy breaches, and that health information custodians cannot evade their responsibilities by placing breach-related facts in privileged documents.

The LifeLabs data breach case offers valuable insights for organizations handling sensitive personal data. Here are some key takeaways from this significant incident:

1. Strengthen Cybersecurity and Limit Data Collection: Organizations must implement robust security measures, including regular audits and strong encryption. Adopting a data minimization approach by collecting only necessary information can reduce breach impacts and risk exposure.

2. Develop Comprehensive Incident Response Plans: Create well-documented, regularly tested plans with clear procedures for breach detection, containment, and notification. Define roles and responsibilities, including when to engage external support. Conduct regular drills to ensure readiness.

3. Understand Legal Privilege Limitations: Recognize that statutory obligations can override legal privilege claims, especially for facts related to privacy breaches. Be prepared to disclose factual information about breaches, even if contained in privileged documents.

4. Balance Legal and Regulatory Compliance: Work closely with legal counsel to develop strategies that fulfill obligations while protecting legitimate privileges.

5. Foster a Security-Minded Culture and Ensure Transparency: Promote ongoing security education and awareness among employees. In the event of a breach, prioritize transparent communication with affected individuals, providing clear information about risks and protective measures to maintain trust and mitigate reputational damage.

By learning from these lessons, organizations can better protect sensitive data, prepare for potential breaches, and navigate the complex legal and regulatory landscape that follows such incidents. For more information about this and other privacy related matters, get in touch with the author, Jaeda Lee, or any other member of our Privacy and Data Protection Group.

Expertise

Important Notice: The information contained in this Article is intended for general information purposes only and does not create a lawyer-client relationship. It is not intended as legal advice from Harper Grey LLP or the individual author(s), nor intended as a substitute for legal advice on any specific subject matter. Detailed legal counsel should be sought prior to undertaking any legal matter. The information contained in this Article is current to the last update and may change. Last Update: February 24 2025.

Related

Kimberly Jakeman, KC included in <em>Lexpert Special Edition: Health Sciences 2026</em>
Kimberly Jakeman, KC included in <em>Lexpert Special Edition: Health Sciences 2026</em> Kimberly Jakeman, KC included in Lexpert Special Edition: Health Sciences 2026
Mandeep Gill included in <em>Lexpert Special Edition: Health Sciences 2026</em>
Mandeep Gill included in <em>Lexpert Special Edition: Health Sciences 2026</em> Mandeep Gill included in Lexpert Special Edition: Health Sciences 2026
Cameron Elder included in <em>Lexpert Special Edition: Health Sciences 2026</em>
Cameron Elder included in <em>Lexpert Special Edition: Health Sciences 2026</em> Cameron Elder included in Lexpert Special Edition: Health Sciences 2026
Caryna Miller re-elected to Pacific Community Resources Society Board of Directors
Caryna Miller re-elected to Pacific Community Resources Society Board of Directors Caryna Miller re-elected to Pacific Community Resources Society Board of Directors
William Clark included in <em>Lexpert Special Edition: Health Sciences 2026</em>
William Clark included in <em>Lexpert Special Edition: Health Sciences 2026</em> William Clark included in Lexpert Special Edition: Health Sciences 2026
Rose Keith, KC, Nicola Virk and Jasmine Kang attend Canadian Bar Association Summer Social
Rose Keith, KC, Nicola Virk and Jasmine Kang attend Canadian Bar Association Summer Social
We are pleased to announce the expansion of our practice to include a dedicated focus on Strata Property Law
We are pleased to announce the expansion of our practice to include a dedicated focus on Strata Property Law
Prentice Durbin, Rose Keith, KC, and Ryan Chan Participate in Canadian Bar Association Panel
Prentice Durbin, Rose Keith, KC, and Ryan Chan Participate in Canadian Bar Association Panel
Kara Hill attends Pacific Community Resources Society AGM
Kara Hill attends Pacific Community Resources Society AGM Kara Hill attends Pacific Community Resources Society AGM
Noah Robinson-Dunning joins Harper Grey as an Associate
Noah Robinson-Dunning joins Harper Grey as an Associate Noah Robinson-Dunning joins Harper Grey as an Associate
BC Human Rights Tribunal Changes its Process for Applications to Dismiss
BC Human Rights Tribunal Changes its Process for Applications to Dismiss BC Human Rights Tribunal Changes its Process for Applications to Dismiss
Rose Keith, KC authors Mediation Moment column for Summer 2026 Issue of <em>The Verdict</em> 
Rose Keith, KC authors Mediation Moment column for Summer 2026 Issue of <em>The Verdict</em>  Rose Keith, KC authors Mediation Moment column for Summer 2026 Issue of The Verdict 
Harper Grey included in Business in Vancouver’s “Biggest Law Firms in Metro Vancouver” List
Harper Grey included in Business in Vancouver’s “Biggest Law Firms in Metro Vancouver” List
Norm Streu co-authors article published by Construction Business Magazine
Norm Streu co-authors article published by Construction Business Magazine Norm Streu co-authors article published by Construction Business Magazine
Rebecca Dales, Joshua Hoenisch, Jasmine Kang, and Brendan Semchuk attend JFS Innovators 2026
Rebecca Dales, Joshua Hoenisch, Jasmine Kang, and Brendan Semchuk attend JFS Innovators 2026
arrow icon

Subscribe